SecurityWorldMarket

18/06/2026

Research uncovers cyber criminals targeting World Cup ecosystem

Eden Prairie, MN (USA)

New research has revealed cyber attacks targeting the 2026 FIFA World Cup months prior to its kickoff. Arctic Wolf Labs has investigated a broad cyber criminal ecosystem already exploiting the tournament, with activity extending beyond fan scams to direct targeting of host-city staff, vendors and organisations tied to the event.

Arctic Wolf Labs observed more than 10,000 newly registered World Cup-themed domains since January 2026, alongside mobile-first scams pushing victims from seemingly clean social media posts into WhatsApp, Telegram, and Discord, where fraud and malware delivery are harder to detect. Researchers also identified campaigns designed to launch malicious links just minutes before matches, capitalising on fan excitement and urgency.

Key findings from the threat research include:

  • AI is expanding attack automation. Since January 2026, Arctic Wolf observed more than 10,000 World Cup-themed domains pop up, at a rate of roughly 2000 new domains per month. Not all are malicious, but with generative AI now producing the sites, the content and even the apps, attack automation has reached a new level.
  • The threat has moved to the phone. The dominant attack surface of 2026 is the mobile device. Lures live as deceptively "clean" posts on social media, which then funnel victims into WhatsApp, Telegram or Discord. This is where the actual fraud or malware delivery happens, out of sight of platform moderation and in an environment where users trust what they see and cyber defences are weaker.
  • Timing is a weapon. Many malicious operations are designed to detonate at the last moment. Channels recruit subscribers with a promise to drop a "free stream" link five minutes before each match begins: the timing banks on excited fans not stopping to check whether a link is malicious.
  • Organisers are being targeted, not just fans. Arctic Wolf identified a weaponised "Employee Handbook" PDF aimed at staff of a U.S. host city, and a cluster of fake "FIFA careers" sites engineered to steal corporate Google Workspace accounts. This demonstrates targeting of the event's own supply chain.
  • The desktop infostealer is alive and well. Arctic Wolf found a World Cup ticket lure which delivers a Windows stealer that exfiltrates everything of value on a victim machine to attacker-controlled Telegram and Discord channels.
